Verizon CR200a in ip passthrough?
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Is that main switch also connected to the LAN NIC? Because that would then put everything in the same segment which is not valid.
If those are managed switches you can add a VLAN to carry the traffic from the modem and isolate it.
It is indeed. That would be the issue, then. The primary switch is managed, but the little switch out in my shop is not. Is it still possible to split things out into a VLAN, or do both need to be managed?
I've never set up a VLAN, is that complicated? My switch is a TPLink T1600G-28PS, if that tells you anything.
I see an option for MAC VLAN, which appears to be selectable by port. That looks promising... :)
-
Do you need access to the LAN at the smaller remote switch?
If you do that's an issue because since the small switch doesn't support VLANs the link between the switches will only ever be a single segment.
Unless maybe the modem supports VLANs in which case you could potentially send tagged and untagged traffic over the link. But that would get complex to set up!
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Do you need access to the LAN at the smaller remote switch?
I do, since my laser cutter needs to be accessible to/from that small switch. That was actually the whole reason I ran the hardline out to the shop instead of just doing a wifi extension. :/
If I had a managed switch in the shop also, would that solve the problem? How would that work? Do they 'talk', VLAN to VLAN or something? I honestly have no idea how that works, which I'm sure is painfully obvious. lol
EDIT: I have a Cisco 3560-CG Gigabit/POE+ switch that I could install out in the shop if that would help the situation. I know nothing about Cisco management, though. If it's not web-based, and rather straightforward, like the TP-Link, I may be out of my depth.
-
Yes, if you have managed switches at both ends you can just create a VLAN and have the modem traffic use that. It will be isolated from the LAN.
Yeah my experience with Cisco switches is...limited! But there are many people here on the forum who are very experienced with them.
-
@stephenw10 Excellent. I can install the Cisco switch in the shop, no problem.
Any thoughts on setting up the VLAN in general? I've never done one. Which type would be the easiest/best for this application? I'd like to send the traffic from the modem (that specific physical port) over the VLAN, and let all the other ports remain on the local LAN, right? Did you see anything in that last screenshot that looked likely? Or are you aware of a good resource for tutorials on setting up VLANs? I know everything is on YouTube, I just wouldn't know exactly what to search for...
-
You have two choices at the pfSense end. You can add a VLAN on the LAN NIC then assign that as WAN2 interface. Or you can just use a separate NIC for that since you have spares and connect it to the switch.
The switch would need to be configured differently in each case. In both cases the link between the switches needs to carry the tagged WAN2 traffic on, say, VLAN 100 and the untagged LAN traffic.
In general you would create VLAN 100 in the switch then add it as tagged on the port linking the two switches. Add it as untagged on the port connected to the modem.
Then either as tagged on the port to the pfSense LAN if you added the VLAN in pfSense. Or as untagged on the port to the pfSense WAN2 if not.
-
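As an added example (not from the thread, and not tested on the poster's hardware), this is what the layout above looks like on the Cisco 3560-CG in the shop for the separate-NIC option: the modem on an access port in VLAN 100 and the uplink to the TP-Link as an 802.1Q trunk carrying VLAN 100 tagged with the LAN untagged as native VLAN 1. The interface numbers, the VLAN name and the assumption that Gi0/9 is the uplink are mine.

```cisco
! Added example, not from the thread. Assumes Gi0/1 = Verizon CR200a,
! Gi0/2 = laser cutter, Gi0/9 = uplink to the TP-Link T1600G-28PS.
! The TP-Link side mirrors this: VLAN 100 tagged on its uplink port, untagged
! (PVID 100) on the port to the pfSense WAN2 NIC (igb3), and VLAN 100 kept off
! every other port so no LAN device can see the modem's DHCP.
vlan 100
 name VERIZON-WAN2
!
! Modem port: untagged member of VLAN 100 only, so the modem cannot compete
! with pfSense as the router/DHCP server on the LAN segment.
interface GigabitEthernet0/1
 description Verizon CR200a (IP passthrough)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Shop LAN device stays on the default LAN VLAN (1).
interface GigabitEthernet0/2
 description Laser cutter
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
! Uplink to the main switch: LAN untagged (native VLAN 1), VLAN 100 tagged.
! Restricting allowed VLANs keeps VLAN 100 from leaking onto any other link.
interface GigabitEthernet0/9
 description Uplink to TP-Link T1600G-28PS
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,100
!
```

After applying it, `show vlan brief` should list Gi0/1 under VLAN 100 only, and `show interfaces trunk` should show Gi0/9 with VLANs 1,100 allowed and active; the switch's own management IP should stay on VLAN 1, with no SVI created for VLAN 100.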
@stephenw10 OK, that sounded like French, but I'll go back and read it a few more times and see if it begins to make sense when I compare it to my GUI options. ;)
Thanks so much for your help!
-
@stephenw10 So this is super weird. I noticed that my network was acting slower than usual, so I checked the interface status, and saw that suddenly my new "verizon" gateway had no IP address. I went out to the shop and looked, and it had no status lights on the bottom of the unit at the LAN port, even though the unit itself was on and reporting good signal.
I decided to move it back inside temporarily, until I could get the new switch that would allow me to set up the VLAN as we discussed above.
I moved it back onto my primary LAN, so that it's only connected through my main switch. It's now Cellular modem -> switch -> pfsense. Although now that I type that, I think maybe that's still no better than before.
Regardless, when I plug it all back in, I'm still getting no IP address at all on the modem. This is weird, since earlier, I was getting an IP, it was just a LAN-type IP. Any idea what might be going on here? I assume the modem is still functioning correctly, since it's basically brand new, but otherwise, what could be causing it to suddenly refuse to pull the IP, even the 'wrong' one?
EDIT: So after a bit of thinking (it's early...), I moved the modem to another location, and plugged it directly into the pfSense box. This of course worked exactly as you described, since there was no switch in between, and now it has an external IP! So... how do I get my devices to start using the new service instead of the failover? Do I have to disable the original interface, or is there another, less destructive, way?
-
You should not have that modem connected to a LAN side switch directly without a VLAN in place. Doing that means it 'competes' with pfSense to be the router on that network. Other LAN devices may get an IP from the modem or start using a public IP even.
Having that NIC in pfSense (igb3) connected to the LAN switch without a VLAN is invalid. It can only get a lease from itself which then creates a subnet conflict between the Verizon and LAN subnets. So it's better it doesn't get an IP at all.
The only valid setup there without VLANs is to connect igb3 to the Verizon modem directly without any switch in between. It should then get an IP from the modem or from verizon upstream.
-
@stephenw10 yep! I added this edit above before I saw your reply...
EDIT: So after a bit of thinking (it's early...), I moved the modem to another location, and plugged it directly into the pfSense box. This of course worked exactly as you described, since there was no switch in between, and now it has an external IP! So... how do I get my devices to start using the new service instead of the failover? Do I have to disable the original interface, or is there another, less destructive, way?
-
The easiest way is to simply set the System default gateway to the Verizon gateway in System > Routing > Gateways.
You can also set up a failover group with the Verizon gateway as the primary gateway and then set that group as the System Default.
Note you cannot set a load-balance group there. If you want to try that you need to policy route traffic via that.
-
@stephenw10 This appears to be working, thanks! I'll leave it like this for now, until I can get my new switch, and set up that VLAN. I really appreciate your assistance, but can't promise I won't need you again. :)
-
@stephenw10 So this is weird.
I have it up and running using the settings you suggested, and for the most part all is well. However, initial connection to sites is a little slow, and certain elements won't load at all. For example, when I hit google and do a search for whatever, that mostly works fine, but once I actually choose a result and visit a page, it seems to pause for a moment, almost like it's having trouble resolving the DNS record or something. This happens on many, but not all sites.
The other, more pressing issue is with YouTube. I can browse the site with no problem, but no videos will play. At all. Nothing. Any video I select just spins forever and never plays. I've tried turning off my ad blocker(s) and it makes no difference. I'm using adguard DNS on my local PC (in the NIC settings), but even changing that back to google or cloudflare DNS doesn't help.
Anything jump out at you as being an obvious cause of either of these issues?
-
Something that can present like that is if you have IPv6 but only partially. A host device will almost always prefer IPv6 if it has a routable address and try to use it. If that's blocked or in some other way broken it has to time out before falling back to IPv4.
-
@stephenw10 Do you mean on the modem, router, or my PC? It seems that all other devices in the home can access sites (and YouTube) without issue, it's just my desktop that is having trouble, so I assume it's on the client side. I've checked my network settings, and I don't think IPv6 is enabled anywhere that I can see. Is there a way to check, or to definitively disable it?
I saw something last night about some having issues with the Verizon modem using IPv6 SLAAC, but that wasn't with IP Passthrough. I'm wondering if, since I didn't turn off v6 before enabling passthrough, it's somehow "leaking" v6 info through the connection. Is that even a thing? If so, would perhaps taking the device out of passthrough, turning off IPv6 entirely, then putting it back in passthrough perhaps help? Obviously, I'm grasping at straws here. lol
-
I mean on the local PC where you are seeing the delays. Though usually that would be because pfSense is passing it an IPv6 address.
Check Diag > DNS Lookup in pfSense. Are all the configured DNS servers responding?
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Check Diag > DNS Lookup in pfSense. Are all the configured DNS servers responding?
So it asks for a hostname to look up. What do I input there? Is that my DNS servers that I have specified on my client side? For example, I have adguard dns on my desktop PC. Would I input those server IPs, or something different? I've never used that tool before.
-
Any FQDN to resolve, so www.pfsense.org for example.
-
@stephenw10 Ok, cool. So I looked up a couple different sites, and all came back with no issues. All loaded fine, and no errors were returned. I even tried youtube, and other than having a long record, it looked okay as well.
However, it still won't load any videos. I can browse the site just fine. All thumbnails load, and if I select a video to play, it will load the initial "cover image", but then it just sits there and spins.
I just found out while typing this that if I wait long enough, it will sometimes play! A video I had forgotten I started began playing, at 144p. lol Once it started, I could select any resolution, and it would load just fine. I can even hop forward in the timeline, and it will immediately play, so it's having no issues streaming, it seems the problem is with the initial connection, or 'finding' the video stream. I know I'm saying it wrong, but I think you get the point. I swear it feels like a DNS issue, like it's hunting for the video amongst a big box of junk and is having trouble finding the right one. lol
What else could I check? I've already cleared cache and cookies back to the beginning of time, and tried a different browser, no difference.
-
It could potentially be an MTU issue on the new WAN. Like full sized packets are being blocked. Try pinging with large packets.
It could be an ad blocking issue. I see Youtube have upped their game today where I am.